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Attorneys for Defendants Southfork Security, Inc. 
and Corey Thuen 



UNITED STATES DISTRICT COURT 



FOR THE DISTRICT OF IDAHO 



BATTELLE ENERGY ALLIANCE, LLC, a 
Delaware limited liability company 

Plaintiff, 



vs. 



SOUTHFORK SECURITY, INC., an Idaho 
corporation, COREY THUEN, an individual, 
and DOES 1 through 10, inclusive, 

Defendants. 



Case No. 4:13-cv-00442-BLW 
DECLARATION OF COREY THUEN 



I, Corey Thuen, declare as follows: 

1 . I am over 18 years of age and competent to testify as to the matters asserted 
herein if called to do so. This declaration is based on my own personal knowledge. 

2. I reside in Idaho Falls, Idaho. I have lived there since June 2009. 

3. I am a named defendant in this action, and I am the president and co-owner of the 
other named defendant, Southfork Security, Inc. ("Southfork"). Southfork was formed as an 
Idaho corporation on or about May 7, 2012. 



DECLARATION OF COREY THUEN - 1 



46556.0001.6141445.10 



Case4:13-cv-00442-BLW Document 16-1 Filed 10/22/13 Page 2 of 9 



Programming Skills 

4. I am a computer programmer. I have been writing code for at least 14 years, and I 
am conversant with coding in several programing languages, including but not limited to C, C++, 
Javascript, HTML, Java, Perl, and PHP. I was proficient in those languages before the onset of 
my employment, described below, with Plaintiff Battelle Energy Alliance, LLC ("Battelle"). 

Job at Battelle 

5. My job title when Battelle hired me in or about July 2009 was "Cybersecurity 
Researcher." My job duties included conducting vulnerability assessments of computer systems 
and components (primarily critical infrastructure systems), writing code for various projects, 
system administration, and additional miscellaneous tasks. In other words, my job was to hack 
into systems used to run critical infrastructure, like power systems, water treatment plants, 
chemical plants, etc. I worked with the creators and asset owners of these systems to find 
security problems so they could fix them. 

Security Professional 

6. As a cybersecurity professional, I am aware of, and possess ability for, many 
"hacking" techniques that may be used in illegal ways, but I put them to use improving my 
customers' security. In other words, I'm much like a locksmith who possesses the ability to pick 
a lock and uses his knowledge to help as a contributing member of society. Battelle paid me to 
do precisely this type of work from the period of on or about July 1, 2009, to on or about 
February 25, 2013. In my career, I have held government clearances with the Federal Bureau of 
Investigation and the United States Department of Energy, which required me to pass multiple 
lie detector tests, psychological tests, extensive background checks, and other miscellaneous 
tests. 
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Sophia Familiarity 

7. I was assigned to become part of the Battelle team researching, designing, and 
coding software known as the Sophia Industrial Control System Computer Network 
Fingerprinting Tool ("Sophia"). 

8. As one of the architects of Sophia, I am familiar with aspects of its architecture, 
structure, and programming languages. I am intimately familiar with the components that I 
personally designed and authored and less familiar with components I did not author. Sophia 
was written using the C programming language. To my knowledge, it makes minimal use of 
open source libraries. 

9. Battelle intended to commercialize Sophia, upon its completion, by licensing it to 
a third party. While working on Sophia, I became interested in bidding for the license to Sophia. 
I formed Southfork partly for the purpose of potentially submitting a bid. 

10. Also while working on Sophia, I created, on my own initiative and without 
direction from Battelle, some promotional videos to showcase Sophia's capabilities. I provided 
those vides to Battelle, which posted them to the Sophia homepage ( http : //sophiahome . inl . go v) . 
In or about June 2012, when Southfork was a potential licensee of Sophia, I mirrored those 
videos to the Southfork youtube channel. Battelle legal contacted me and asked that I remove 
the videos from the Southfork youtube channel and remove any links to them from Southfork' s 
website. I promptly complied. 

11. I have had no access to Sophia since on or about August 2, 2012, when Battelle 
removed me from the Sophia project, moved my desk away from the remaining Sophia 
developers, and revoked my access to Sophia files. These steps were taken because of my 
interest, through Southfork, of licensing Sophia upon its completion, which was perceived as a 
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conflict of interest with my continuing to work on Sophia. I remained employed by Battelle, 
working on other projects. 

Leave of Absence 

12. I took a one-year unpaid professional leave of absence from Battelle beginning on 
or about February 25, 2013. The terms of the leave of absence entitled me to pursue my own 
business interests. I completed conflict-of-interest paperwork and spoke with representatives in 
the Battelle Conflict of Interest office (in particular a Mr. Moriarty) and was informed that my 
proposed involvement in Southfork was permissible. 

13. Although I had been scheduled to return to work at Battelle on or about February 
25, 2014, Battelle terminated the employment relationship on or about June 27, 2013. 

Development of Visdom 

14. On or about March 1, 2013, 1 began writing a computer program known as 
"Visdom," with the assistance of a co-developer, Kristopher Watts. The purpose of Visdom is to 
improve network security and situational awareness, particularly for critical infrastructure. We 
intended it at all times to be open source and freely available to the public at no charge. I think 
that no utility, company, or individual should be without network security because of the size of 
its checkbook. Southfork plans to earn money from Visdom through the sale of support 
contracts and proprietary add-on modules. 

15. Visdom was written in HTML, Javascript, and Go. As previously mentioned, 
Sophia was written in C. Visdom is not a translation of Sophia from C to the languages in which 
Visdom is written. We did not have the Sophia code when we created Visdom. 

16. Further, a program written in one programming language cannot be cut-and- 
pasted into another programming language. Programming languages have different 
lexicographical grammars. As an example, if I'm writing code in C I have to deal with memory 
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management; I have to keep track of the resources used by my programs. Javascript has no such 
concept, and any C code that does these functions would be impossible to translate into 
Javascript. Further, Javascript is an interpreted language and C is a compiled language. In other 
words, C creates software that runs on hardware, whereas Javascript creates software that runs in 
programs that run on hardware. 

17. No two programmers who translate from one language to another, or from C to 
Javascript in particular, would produce the same output for any complex program. Those two 
languages, and their paradigms, are incompatible. A program written in C will inherently solve 
the problem to which it is directed in a different way than a program directed at the same 
problem but written in Javascript. 

18. In developing Visdom, I specifically avoided any code, modules, sequences, 
routines, structures, screenshots, or any other materials that may have constituted some part of 
Sophia, based on my knowledge of Sophia as of the end of my access to it on or about August 2, 
2012. Visdom is intended to solve the same problems as Sophia, but it is not a copy of Sophia, 
just as an electric car is not a copy of a gas-powered car simply because both are used for the 
same purpose. 

19. Visdom, unlike Sophia, makes heavy use of third party open source libraries to 
accomplish many of the tasks for which the Sophia development team had to write code 
ourselves. An example for illustration: as part of my work on Sophia, I created a scrollbar from 
scratch, which means I had to implement the click and drag behavior (along with buttons) that 
causes a scrollbar to do what the average user expects a scrollbar to do. Visdom, on the other 
hand, builds on top of other, third party components that make scrollbars inherent. In other 
words, on Sophia development I spent significant time creating basic components to a user 
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interface, whereas Visdom did not require such efforts. Visdom's heavy use of open source 
libraries facilitated its development in a matter of several months. 

Visdom Source Code Availability 

20. On or about July 18, 2013, 1 placed the source code for Visdom in an open source 
repository on the Internet called github.com. See http s : //gifhub .corn/vi sdom/ . Since that time, 
the actual source code for Visdom has been freely and publicly available to all persons, including 
Battelle, and it can easily be located through a Google search for "Visdom." I placed the source 
code for Visdom on github.com as a means of fostering collaboration among code writers and 
creating opportunities for programmers to write applications that work with Visdom. I would 
not have done it if I intended to hide Visdom from Battelle. Github.com is well known among 
computer programmers and is among the most popular Internet repositories for open source 
software. The other Battelle architects of Sophia undoubtedly are familiar with it. Further, the 
placement of the Visdom source code on github.com reveals nothing about the Sophia source 
code because the respective source codes are not the same and no one can use the Visdom source 
code to "reverse engineer" or otherwise gain insight into the Sophia source code. 

21. Visdom's co-developer, Kristopher Watts, took a job with Battelle as a 
cybersecurity researcher after the source code for Visdom was placed on github.com. It is my 
understanding, based on my knowledge of the Battelle conflict-of-interest disclosure and 
mitigation process, as well as based on a conversation with Watts that took place before this 
lawsuit was filed, that, upon his employment with Battelle, Mr. Watts submitted conflict-of- 
interest paperwork to Battelle in which he explicitly declared his intent to continue contributing 
code to Visdom, as well as provided a link to where Visdom can be found on the GitHub 
repository. 
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Sophia Commercialization Withdrawal 

22. Southfork submitted a bid to license Sophia from Battelle. However, Southfork is 
passionate about open source software and security, and it became clear that open source did not 
fit in with the goals of Battelle' s technology deployment personnel. I disagree with Battelle that 
security software like Sophia or Visdom cannot be open source because then hackers would have 
access to the source code. Security systems are better served by being open source so that 
complicated things, like cryptographic algorithms and implementations, can be reviewed by 
independent expert auditors rather than sitting behind smoke screens. The plethora of open 
source software used in secure systems today completely debunks the notion that you cannot 
have valuable and secure software that is also open source. Battelle' s view that security software 
cannot be open source is like thinking that, because an individual knows the inner workings of a 
camera design, he can make himself invisible to the camera. 

23. In addition to this philosophical difference, the Sophia bid process was slow- 
moving and often contentious, causing me to think it would be faster and easier simply to write a 
Sophia competitor from scratch. That is what Southfork decided to do — move on from the 
Sophia license bid and to release our own open source, free software, defensive tool for critical 
infrastructure. And it was faster and easier to develop Visdom than to pursue the Sophia license. 
We released our own, 100% original product before the Sophia bid process ended. 

Meeting with Michael Sayre 

24. I met with Michael Sayre of NexDefense in our about July 2013 in a local 
brewery in Idaho Falls. My purpose for the meeting was to engage NexDefense in a business 
relationship and assess whether we would have any future working together. Mr. Sayre did ask 
if I had taken any intellectual property from Idaho National Laboratory, to which I consistently 
and repeatedly replied that Visdom was a "made from scratch, clean room implementation" that 
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seeks to solve the same problems of Sophia. In that meeting, I also shared that Visdom was 
written in an entirely different language to illustrate this point. Also during this meeting, I 
explained how we were able to author Visdom so much more quickly than Sophia had been 
authored. 

25. Any comment that I made to Mr. Sayre on the quality of Sophia source code 
would have been in reference to the code I wrote on the Sophia project. I have not had enough 
experience with the rest of the Sophia code base to comment on the quality of the work. 

Business Impact 

26. Visdom is only part of Southfork's business. If Southfork — a growing, Idaho- 
based, start-up computer security business — is prohibited from operating its website pending 
trial, Southfork will be unable to attract customers and continue in business. Southfork has 
generated approximately $160,000 in revenue since we started operating in February 2013. 
Southfork' s profit has been approximately one-third of that amount, but by far its largest expense 
is compensating me and its other owner-employee. Southfork is fortunate to be in a rapidly 
growing industry and is currently attempting to acquire more employees to meet our demand, 
which is large. If the requested injunction is not entered, I project that Southfork will generate 
$2,500,000 in revenue during the next eighteen months (including Visdom-related revenue, for 
which there is significant potential), and that Southfork will continue growing after that. 

I declare under penalty of perjury that the foregoing is true and correct and was executed 
within the United States on October 22, 2013. 

/s/ 

Corey Thuen 
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CERTIFICATE OF SERVICE 



I HEREBY CERTIFY that on this 22nd day of October, 2013, 1 filed the foregoing 
document electronically through the CM/ECF system which caused the following parties or 
counsel to be served by electronic means, as more fully reflected on the Notice of Electronic 
filing: 

Scott E. Randolph 
serandolph @ hollandhart.com 
A. Dean Bennett 
adbennett @ hollandhart.com 
Mark A. Miller 
mmiller@hollandhart.com 
Ginger Utley 
gutley @ hollandhart.com 
HOLLAND & HART LLP 




Jason D. Scott 
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